
How to have your active directory domain and your web site domain be the same?


Posted 17 June 2014 - 12:37 AM

Hi all,

I'm noticing something very interesting. As you probably know, my computer is set up on a domain, for the sheer hell of it, honestly, and I'm wondering if any admins around here (for I know I've seen this done; my college did it when I was there) put the same domain they use for their web site as their Active Directory domain? For instance, if someone registered test.org, how to make the web site be http://test.org as well as the root AD domain also be test.org without causing conflicts with DNS resolution either on the web site side or on the domain side? For instance, if your IIS or Apache server had an IP address of 123.229.56.25, and your domain controllers had IPs of 123.129.56.223 and 24 respectively, what type of DNS setup would you have to do to ensure that both web surfers and domain logon requesters get the resources they need? So, in the setup we have, the domain internally would be ad.test.org while the site is just test.org. How to make the internal and external domain be able to be the same? Thanks.


Firstly, let's clear up a little confusion.... The bulk of your post talks about DNS domain names, but in one place you bring IP addresses into it.

.."if your IIS or Apache server had an IP address of 123.229.56.25, and your domain controllers had IPs of 123.129.56.223"..

You would normally continue to use private addresses (from the ranges 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12) for your network. Even if you are publishing resources from your private network to the outside world, you would still do this - for any resources like that, you would end up with different IP addresses on the inside and outside, so we would need to deal with that after the fact....

The trickery would be how you deal with DNS. You would have two separate DNS infrastructures.

Firstly, a normal external DNS setup: primary and secondary DNS servers hosted on ISP DNS servers and containing ONLY the DNS records that you wish to publish to the outside world (MX, www, owa, autodiscover etc.). This is exactly as you would have if your internal and external DNS names were different.

You would also have your internal DNS zone on your internal DNS servers. This is almost exactly as you would normally have it if your DNS names were separate.

The "almost" refers to a very few records that refer to externally published resources. Any public resources that need to be accessed from the internal domain need to be included in this copy of the zone (for example www), and (depending on how you want things to work) you may point certain records to the internal or external IP address of the resource (owa / autodiscover etc.). DNS records that have a Windows or AD special meaning should ONLY point to internal IP addresses (i.e. myexchangeserver.test.org = 192.168.1.10 but owa.test.org = 123.45.67.8).

The other important point is that internal servers/workstations etc. ONLY refer to the internal DNS servers for name resolution, NOTHING else. No exceptions!!! (really!)

So how do internal machines resolve outside names (for other domains)? Set up forwarders on all internal DNS servers. Use the ISP DNS resolvers (the DNS servers specified with your connection, but not necessarily holding your external domain).

So... Internal machines only talk to internal DNS servers - these know how your AD domain works (and a little info about how to access things like your external web server). External access (anyone outside) just sees public DNS information as normal...

This also works for having your internal AD domain as a subdomain of your external name. The internal zone is ad.test.org, and the external just test.org... The external version needs to know nothing of the internal version - no delegations, nothing....

All of the above is only really worth doing if you are setting something up from scratch. Changing an existing internal domain would be very difficult (if possible in your case at all); don't even consider that!
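The split-horizon layout described in the reply above, written out as an added example for a Windows Server DNS server (DnsServer module cmdlets); this is not code from the thread or from either poster. The zone name, the public and private addresses and the ISP resolver addresses are assumptions picked to match the thread's own examples (test.org, 123.45.67.8, 192.168.1.10); the resolvers use the 203.0.113.0/24 documentation range. It builds the internal copy of the zone, adds the handful of records for externally published resources, sets forwarders, and then runs the checks a practitioner would want: that the AD locator (SRV) records resolve only to domain controllers, that www resolves to the public web server, and that the bare name test.org resolves internally to the DCs, which is why http://test.org alone will not reach the web site from inside and the www name must be used there.

```powershell
# Added example (not from the original thread): split-horizon DNS for an AD
# domain whose name equals the public web-site name, on Windows Server DNS.
# All names, addresses and resolvers are assumptions chosen to match the thread.

$Zone         = 'test.org'        # AD domain name, also the public site name
$PublicWeb    = '123.45.67.8'     # assumed public IP of the IIS/Apache host
$InternalOwa  = '192.168.1.10'    # assumed private IP of the Exchange server
$IspResolvers = @('203.0.113.53', '203.0.113.54')   # assumed ISP resolvers

# 1. Internal copy of the zone. On a domain controller the AD DS installation
#    normally creates this; AD-integrated so every DC/DNS server shares it.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 2. Records for externally published resources only. 'www' has no Windows
#    meaning, so it may point straight at the public address; internal clients
#    then reach the web site exactly as outsiders do.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $PublicWeb -TimeToLive 01:00:00

#    'owa' is also used from inside, but the host sits on the LAN, so the
#    internal zone carries the private address while the ISP-hosted public zone
#    carries the public one. Nothing in this zone is replicated outward.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'owa' -IPv4Address $InternalOwa

# 3. Forwarders: this DNS server sends queries for every other domain to the
#    ISP resolvers; clients never point at outside DNS servers themselves.
#    Run on every internal DNS server.
Set-DnsServerForwarder -IPAddress $IspResolvers -UseRootHint $false

# 4. Checks against the local server (127.0.0.1 = this DNS server).
#    AD locator records must exist only here and point at domain controllers.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -Server 127.0.0.1 |
    Select-Object Name, NameTarget, Port

#    www must resolve to the public web server from inside.
Resolve-DnsName -Name "www.$Zone" -Type A -Server 127.0.0.1 |
    Select-Object Name, IPAddress

#    The bare zone name is a record with AD meaning: each DC registers an A
#    record for it, so inside the network test.org resolves to DC addresses,
#    not to the web server. Internal users therefore use www.test.org.
Resolve-DnsName -Name $Zone -Type A -Server 127.0.0.1 |
    Select-Object Name, IPAddress
```

The cmdlets are standard DnsServer module commands and are idempotent enough to re-run, except that adding an A record that already exists reports an error; delete or update the record first if the public address changes. Verify the public side separately with `Resolve-DnsName -Name www.test.org -Server <ISP resolver>` from a host outside the network, which should return only the records the ISP-hosted zone publishes and no SRV or DC records at all.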